Data Protection – GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) came into force on 25th May 2018 and affects every organisation in the world that 'processes' or 'controls' personal information relating to individuals in the EU. Many of GDPR's concepts and principles are similar to the Data Protection Act (DPA) however, there are new elements and significant enhancements which your organisation will need to implement.

Failure to meet regulations could be a hefty price to pay. Personal data breaches must be reported to the relevant supervisory authority within 72 hours of the breach. Failure to notify a breach can result in a fine of up to £10 million or 2% of global turnover. The fine can also be combined with the ICO's other corrective powers under Article 58. It's safe to say failing to meet the requirements is not worth the time it takes to review your archives.

What you need to know

Many organisations tend to ignore or put aside their paper archives. However, these paper records should not be overlooked. One of the most significant changes between the DPA & GDPR is the rights individuals will have over their personal information. In particular, GDPR provides the following rights for individuals:

The right to be informed

The right to be informed encompasses an organisation's obligation to provide 'fair processing information'. Information relating to identity, controller details and the purpose of processing data are just a few examples of when individuals must be informed.

The right of access

Under GDPR, individuals have the right to obtain confirmation that their data is being processed and access to the information itself. A copy of the information must be provided free of charge and without delay to the individual (within 1 month of receipt at the latest).

The right to rectification

Individuals are entitled to have their personal data rectified if it is inaccurate or incomplete. If your information has been disclosed to third parties, organisations must inform them of the rectification where possible.

The right to erase

Under GDPR, individuals have the right to 'block' or suppress the processing of personal data.

The right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. The personal data must be provided in a structured, readable form, including CSV files and must be provided free of charge.

The right to object

Individuals have the right to object processing based on legitimate interests, direct marketing and for circumstances, including processing for purposes of scientific/historical research and statistics.

For more information on GDPR, please refer to the Information Commissioner's Office guide at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

What is classified as personal data?

GDPR clarifies that the concept of personal data includes online identifiers and location data in addition to standard demographic information. This means that IP addresses and mobile devices are now included as personal data and must be protected accordingly. Genetic and biometric data, including gene sequences, fingerprints, facial recognition and retinal scans, are also classified as personal data and, therefore, subject to GDPR.

If your organisation is processing any data of the above requirements, you ARE affected by the General Data Protection Regulation.

Your solution

Now you have the knowledge to comply with GDPR; it's time to identify your solution.

Firstly, your organisation must decide on the dedicated person who is responsible for ensuring compliance is met. The selected employee must review all current and archived documentation asking themselves the following questions:

1. Can you access the information you need promptly and cost-effectively?
2. How long would it take you to find this information?
3. Do you know where this information is?
4. How many copies of the document exist?
5. Most importantly, can you adhere to GDPR if a customer asks you for the right to erasure and you cannot find the information?

If the answer is NO to any of these questions, changes need to be made to your organisation, including implementing an effective records management policy to ensure compliance is met.

Take control of your data by working with Storetec Services to discover your tailored scanning solution. Online access to digitised documentation enables you to take control, allowing for easy search with immediate and controlled access to the documents you need and access to full audit trails. Storetec Services can assist with the scanning of any type of documentation you may have, in addition to document storage, secure document destruction and cloud-based document management solutions.

If you would like more information on GDPR policies or advice on ensuring your company is compliant, please do not hesitate to contact us. Whether you require a quick chat or would prefer to have a face-to-face meeting, we can help.